Ubuntu does alright, and its infinitely better then windows 10 in terms of security & privacy out of the box :)
Not a big fan of canonical though, and I have some fears about the future directions they could take it, but for now I still recommend it because it usually just works..
Web security is the main way most people get infected, but even just running the browser inside virtualbox would be a massive upgrade over the average setup :)
On that topic, I also use ublock origin in my firefox installs to stop random javascript on every site, and I manually approve each one for my "trusted" browser.
I also have some untrusted disposable browsers, running everything like flash and java applets and pushing traffic via Burp proxy so I can intercept traffic whenever I want - tis nice having the option always available :)
I need to have a look at ublock origin. I use Adblock, but I know that's not perfect. I do allow ads on some sites I want to support, but I hear about malicious code in some ads. I used to run NoScript, but that could be a pain at times. It's amazing how much code some sites run.
I swapped from adblock to ublock because it seems to have some extra features and less memory usage :)
I noticed even my banks website loads dozens of external js files and facebook/twitter etc..